Guidebook on SME
Business Continuity Planning
APEC Small and Medium Enterprise Working Group (SMEWG)
August 2013
Asia-Pacific
Economic Cooperation
Guidebook on SME Business
Continuity Planning
0. How to Use This Guidebook ................................................ 03
1. Introduction .......................................................................... 03
2. Warm Up ...............................................................................03
3. BCP Framework ...................................................................05
Step 1 Determine BCP Purpose, Scope, and Team .......................05
4. Your Lifeline Businesses and the Threatening Risks ..........06
Step 2 Prioritized Activities (PA) and Recovery Time Objective
(RTO) .......................................................................................07
Step 3 What Do You Need to Resume Key Activities? ...................09
Step 4 Risk Assessment – Know Your Disaster Scenarios ................. 10
5. Your Survival Strategies ....................................................... 14
Step 5 Do Not Forget Pre-Disaster Protection and Mitigation ....... 15
Step 6 Emergency Response to Disaster .........................................17
Step 7 BC Strategies to Early Resumption ........................................24
Step 8 Be Financially Prepared .........................................................28
Step 9 Exercise Makes Your Plan Functional ...................................31
6. PDCA: Continuous Improvement .......................................32
Step 10 Ongoing Review and Improvement ..................................32
Appendix..................................................................................35
1. Blank Forms .....................................................................................36
2. BCP Checklist ..................................................................................57
02
BCP Guidebook 2013
0. How to Use This Guidebook
This Guidebook is intended to help small and medium-sized enterprises (SME)
introduce business continuity plan (BCP). It presents 10 easy steps that SME
readers can follow to develop their own BCP. In each step, forms have been
prepared to assist readers. You should fill in those forms to suit the needs of
your company. When you finish all the forms, you will have a complete business
continuity plan for your company.
There is one important point you should remember: introducing BCP is not a
simple matter of drafting a business continuity plan on paper. Adopting BCP is
a decision making by a business owner to protect their company from various
disasters and accidents and to enhance their company’s ability to survive by
carrying out planned continuity strategies. Let’s proceed with this in mind.
1. Introduction
Every business owner wants to expand their business, protect their employees,
and contribute to society by supplying their products or services. You, as a
business owner, have to protect your business not only on a fine day but also
on a rainy day and even on a stormy day. You have to successfully compete
in a tough market under ordinary circumstances, but also need resilience if you
are to successfully survive a crisis such as a natural disaster or a fire. You do not
want to see your business destroyed by a disaster, accident, terrorist attack, or
other incident. Is your company prepared for disasters?
“Failing to prepare is preparing to fail” said Benjamin Franklin. If you have not
prepared for such incidents, you are (unconsciously) preparing for failure when
a disaster or accident strikes. Business continuity plan (BCP) is the solution for
protecting your business during a crisis.
2. Warm Up
Consider the simple example of a traffic accident. Even if you always try to
drive safely, there is no 100% guarantee that you will be able to avoid a traffic
accident. What is the disaster (or worst-case) scenario for a traffic accident?
One in which you, the driver, are killed or sustain a severe injury that causes
permanent disability and keeps you from returning to life as you knew it before.
What is the disaster scenario for your company in a disaster? Your company
would be fatally wounded if critical resources sustain devastating damage that
would force you to give up on recovery (death scenario). Or your company
might sustain severe damage that would cause an extensive disruption in
your business. As a result, you might lose important customers and be forced
to scale down your operations (permanent disability scenario). These are the
worst-case scenarios that your company should avoid at all costs.
But if you are lucky and only sustain minor injuries in a traffic accident, you will
be able to recover in a short period of time and return to normal life. Likewise,
the better scenario for your company is to keep damage contained to a low
03
BCP Guidebook 2013
level such that it would be able to resume operations at a normal or higher
level of functionality in a short period of time. This is your survival scenario. BCP
is all about your company’s ability to achieve its survival scenario.
Here are some warm-up questions to get you started!
Q1: What is your company's disaster scenario that might lead to bankruptcy?
Q2: How soon does your company have to recover to survive from a disaster-
related disruption?
Q3: What are the critical resources whose availability determines the life or
death of your company?
Q4: Within 5 to 10 years, what kinds of disasters and accidents are most likely to
impact you, potentially triggering a worst-case scenario?
Were you able to answer the above questions easily? If not, don't worry, this
Guidebook is here to help you. But if you were, you already have a mindset
prepared for BCP. This Guidebook will guide you through 10 easy steps to build
your company’s Business Continuity Plan (BCP) program. These 10 steps are
based on the International Standard ISO22301, for Business Continuity Plan.
10 Steps for BCP
Step 1 Determine BCP Purpose, Scope, and Team
Step 2 Prioritized Activities (PA) and Recovery Time Objective (RTO)
Step 3 What Do You Need to Resume Key Activities?
Step 4 Risk Assessment – Know Your Disaster Scenarios
Step 5 Do Not Forget Pre-Disaster Protection and Mitigation
Step 6 Emergency Response to Disaster
Step 7 BC Strategies to Early Resumption
Step 8 Be Financially Prepared
Step 9 Exercise Makes Your Plan Functional
Step 10 Ongoing Review and Improvement
04
BCP Guidebook 2013
3. BCP Framework
When you start BCP planning, you need to create a solid foundation (or
framework) for your company’s BCP program by addressing these three
elements:
1) Purpose: Why is your company introducing BCP?
2) Scope: Which parts of your company will introduce BCP?
3) Leader: Who will serve as leader of your BCP activities?
It is very important that not only top management show visible strong
leadership, but also that all employees are fully aware of the BCP framework
(purpose, scope, and leader).
Step 1 Determine BCP Purpose, Scope, and Team
(1) Purpose
You should make the purpose clear as to why your company is going to
introduce BCP. BCP is to protect your business operation from disasters and
accidents. Your clear purpose will be a very important criterion in determining
priorities of your key products or services and selections of your business
continuity strategies. What is your BCP purpose? The first priority is to protect
people, your employees and visitors to your premises. The second is to protect
your business, fulfilling your contractual obligations to your customers and
users, meeting social responsibility and contributing to the local society and
economy. It will secure employment and protect employees’ livelihoods.
(2) Scope
The question is which section(s) of your company would you want to introduce
BCP? You can limit the scope to key sections (or departments) which introduce
BCP. For example, you can select the main factory which manufactures the
company’s top brand product or NO.1 shop which sells most. You can decide
the scope of the BCP based on your business needs and own circumstances.
You have to include the core sections which are very critical to your company's
survival.
(3) BCP Leader
You need to appoint a BCP leader who takes the initiative in company-wide
BCP activities. BCP leaders should be given authority and responsibility, which
are necessary to carry out his or her role. BCP is the company-wide activities
that require active participation and cooperation from the relevant sections.
It is desirable to nominate a person who is widely trusted in the company. If
the company size requires it, a support team should be selected to work under
the direction of the BCP leader. Management need to ensure the necessary
resources, including a budget which is available for the BCP leader and
team to carry out their duties. The SME owner (senior management) should
demonstrate a visible commitment to BCP activities and should know that only
verbal instructions are not enough to achieve successful results.
05
BCP Guidebook 2013
Fill in Form 1 regarding your company’s BCP framework.
4. Your Lifeline Businesses and the Threatening Risks
The purpose of BCP is to protect your company and business operations even
when a disaster or accident occurs and disrupts operations. First, you will focus
only on your company’s operations. Of your various business activities, which
are your company’s lifeline (or critical) businesses? Which business activities
should be given top priority for recovery if disrupted by a disaster? What
resources are necessary to keep those lifeline businesses operating? Without
those resources, the company’s top priority activities will not be able to be
resumed. Second, consider the risks to your company. What kinds of risks,
such as natural disasters or accidents, are most likely to seriously damage the
company’s assets, businesses, and supporting resources? In this chapter, you
will gain a renewed understanding of your company’s operations by looking
at these two elements: lifeline (critical) business activities and the risks that
threaten them.
Form 1 BCP Framework
BCP Purpose
Protect People
Protect Business Activities
Recover with Local Community
BCP Leader and Team
BCP Leader
BCP Team Members
BCP Scope
Departments to introduce BCP
06
BCP Guidebook 2013
Step 2 Prioritized Activities (PA) and Recovery Time Objective
(RTO)
In Step 2, you will consider what is your company’s lifeline product or service?
Which product or service should be recovered (be delivered) as the first priority
when a natural disaster (or an accident) disrupts the company’s operations?
Which business activity makes a top selling product? Which shop sells most
in your company? Those critically important business activities are called
Prioritized Activities (PAs). You have to identify the Prioritized Activities of your
company. As the second step, you should know the impact (timeline) of total
disruption to the main activities listed. How soon would the total disruption
of these activities become unacceptable to your company? (This period is
called Maximum Tolerable Period of Disruption / MTPD). What must be done to
get your business operational again in the shortest possible timeframe, before
heading towards exiting the business or filing for bankruptcy? The importance
of this simple analysis is to focus only on the impacts of disruption, setting
aside risk factors. By disregarding risk factors, such as occurrence probability
and severity of damage, during the process of analyzing your business and
identifying Prioritized Activities, you will gain a clearer understanding of how
soon your company has to resume operations to avoid bankruptcy.
Start by assessing the impacts of your company’s main business activities when
those are disrupted by a natural disaster or accident. Enter your company’s
business activities (product/service lines) in the left column of Form 2-1. You
will compare the importance of the activities listed. The level of importance
of each business activity (product/service line) should be rated using two
criteria: external and internal impacts. First rate the external impacts, those
which might affect customers, users, and society at large. How seriously might
your customers, users, the environment, or society at large be impacted if your
product or service were to stop being delivered? How long will your customers
willingly wait for you to resume operations? How soon might your key customers
switch to another provider? If you deliver certain types of products, such as
medical supplies, the disruption of such deliveries could threaten the lives of
end users. Rate the degree of the external impact as large (L), medium (M) or
small (S), using your subjective judgment to determine the relative differences
between those three levels.
Internal impacts should be reviewed based on various criteria such as financial
status (e.g. cash flow), operational problems, and the reputation of the
company. When the production line of product A is shut down, how serious of
an impact will it have, over time, on the company’s revenue? If your top brand
service is suspended, what level of impact might it have on the company's
cash flow? Rate the degree of the internal impact as large (L), medium (M) or
small (S).
Next, you should know the timeline of the impact of a total disruption. How
soon would a total disruption in those activities become unacceptable to your
company? This period is called the Maximum Tolerable Period of Disruption, or
07
BCP Guidebook 2013
MTPD. This is the very latest time at which your company would have to resume
the listed activities before reaching a worst-case scenario that would end in
bankruptcy.
Enter the listed activities in Form 2-2 (left column). Consider the MTPD for each
activity listed and select one of the five columns showing periods of time (3
days, 1 week, 2 weeks, 1 month, 2 months or more). Determine the period by
which each listed activity has to be resumed. For example, if the first activity’s
MTPD is one month, place a checkmark (
) in the "1 month" column. If you
have to restore delivery to a key customer within 2 weeks, write "2 weeks" in the
rightmost column entitled Recovery Time Objective (RTO). Repeat this process
for all listed activities.
Now that you have analyzed and evaluated the internal and external impacts
and identified the Recovery Time Objective of the main activities of your
company, you will select and identify your company’s Prioritized Activities and
set Recovery Time Objective (RTO) from a company-wide perspective in Form
2-3. Your company may select one or more PA(s) depending on your business
operations.
Form 2-1 Impact Level Comparison Chart
Departments Handling Each Product/Service
Impact Levels
External Impact Internal Impact
Product / Service A L : M : S L : M : S
Product / Service B L : M : S L : M : S
Product / Service C L : M : S L : M : S
Product / Service D L : M : S L : M : S
Product / Service E L : M : S L : M : S
Form 2-2 Maximum Tolerable Period of Disruption
Departments Handling
Each Product/Service
Time When Impact Becomes Unacceptable MTPD
Recovery Time
Objective (RTO)
Product / Service A ~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
Product / Service B ~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
Product / Service C ~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
~3 ds ~1 wk ~2 wks ~1 mo ~2 mos.
Form 2-3 Prioritized Activities and RTOs
Prioritized Activity(ies)
Recovery Time Objective(s)(RTO)
08
BCP Guidebook 2013
Step 3 What Do You Need to Resume Key Activities?
Prioritized Activities (PAs) are supported by various internal and external
resources. When disrupted, PAs are going to be resumed and those supporting
resources should be available and ready. In Step 3, you need to identify and
list the necessary resources in Form 3-1. In the subsequent steps, you will review
risks to the listed resources, and their vulnerabilities. You will consider what
measures are necessary to protect, secure availability, or prepare alternative
options. Therefore, this list is very important and basic information in your BCP
planning.
List the necessary resources in Form 3-1, dividing them into three categories
(1) internal resources, (2) essential services, and (3) business partners. The
first category is internal resources, which are usually under your company’s
control. These include buildings, equipment, machinery, tools, stock, materials,
IT systems, documents, and drawings, etc. It is also important that human
resources be reviewed from the perspective of employees’ special skills and
expertise.
The second group is, Essential Utilities such as electricity, gas, fuel, water, and
sewage etc. Communication network (phone and Internet) and transportation
network (roads, railroads, and ports) are included. These resources are
provided by public entities. They are not usually under your control. Typically,
ordinary companies cannot afford to arrange alternative sources for essential
services due to the prohibitively high costs, and their availability. Therefore,
these would become a basic condition for resumption of your PAs.
The third group is, your company’s Business Partners and your upstream and
downstream business chains. This group (direct and indirect partners) is not
only your suppliers, but also your customers. In the two catastrophic natural
disasters, the East Japan Earthquake and Thailand’s Floods which occurred in
2011, many companies were seriously affected by disruptions to their supply
chains. Many companies, which were not directly damaged by the natural
disasters, were also seriously affected.
Form 3-1 Necessary Resources for Prioritized Activities
Necessary Resources for Prioritized Activities
Type of Resources Contents
Internal Resources
Building
Equipment / Machinery
Inventory
People
IT System
Fund
Other:
09
BCP Guidebook 2013
Essential Social Services
Electricity
Gas
Water
Phone / Communication
Trafc / Roads
Other:
Supplies
Direct supplier
2nd, 3rd Supplier
Customer
Other:
(Note: The processes of identifying Prioritized Activities, setting Recovery Time
Objectives, and listing necessary resources constitute a Business Impact Analysis
(BIA). This term is commonly used in BCP.)
Step 4 Risk Assessment – Know Your Disaster Scenarios
In Step 4, you need to clearly identify risks which may seriously threaten your
company (or may lead to a catastrophic scenario). You list the kinds of risks
your company is exposed to. You analyze and evaluate those risks, and select
risks which your company needs to take measures with ‘high priority’. You also
need to analyze and estimate to what extent your critical resources may be
damaged by such risks, and how long it will take to restore such damaged
resources. You compare the estimated restoration period with your company’s
Recovery Time Objective (RTO), set in Step 2, and determine which resources
are critical to avoid catastrophic scenarios.
The resources which need attention include those where the restoration period
exceeds the RTO and those that do not exceed it. If essential services such
as electricity, water, phone etc, take a longer period for the service to be
restored than your RTO, you may need to reconsider your RTO and wait until
such resources and services become available.
Form 4-1 assists in the process of identifying, evaluating, and prioritizing risks.
First, enter the risks your company is exposed to in the leftmost column. These
are risks which could potentially cause a disruption in your business operations
or could lead to a worst-case scenario (bankruptcy). For example, risks to your
company might include natural disasters such as earthquakes, floods, and
typhoons, or industrial disasters such as fire, explosion, blackout, leakage of
chemical substances or intentional acts such as terrorist attacks, sabotage. The
past history of such natural disasters, hazard maps, and risk information for your
local area may be published by local governments and public organizations. If
available, these can be very useful resources in conducting the risk assessment
in this step.
10
BCP Guidebook 2013
Next, evaluate the “Impact” and “Likelihood” of each risk, marking each as
either H (high), M (medium), or L (low) in the columns indicated. The criteria for
rating these items are shown in Table 4-1.
Table 4-1 Risk - Likelihood/Impact Scoring Scale
Rank Likelihood Impact
High Likely
Disastrous, Severe damage
Threatening the company
Death, multiple injuries
Middle Moderate likely
Medium level damage
Affecting operations,
Multiple injuries
Low Unlikely
Insignicant damage
Minor injuries
After you have entered L ,M or S in both the “Impact” and “Likelihood” columns
of Form 4-1, assign them an order of priority in which measures need to be
taken. Indicate the priority number in the rightmost “Priority” column.
Form 4-1 Risk Impact and Likelihood Comparison Chart (sample)
Risk Impact Likelihood Priority
Earthquake H M L H M L 1
Flood H M L H M L 2
H M L H M L
H M L H M L
Next, select a top priority risk (e.g. earthquake) and estimate the level of
damage and length of time needed for the restoration of resources should
they be damaged as the result of an incident or a disaster. The estimated
restoration period should be compared against your company’s Recovery Time
Objective (RTO), which was established in Form 2-3. Determine the resources
for which measures need to be taken.
Proceed through the following eight steps and enter the appropriate data
in the columns indicated (by arrows) in Form 4-2. Separate forms should be
completed for each selected risk because the expected damage could vary
widely by risk.
1) Enter the critical resources that were identified in Step 3
2) Enter the prioritized risk
3) Enter an outline of estimated damages to your facilities
11
BCP Guidebook 2013
4) Enter estimated levels of damage
5) Enter estimated periods for repair, restoration, or recovery
6) Mark the graph bars to correspond to the length indicated in item (5) above
7) Draw your RTO line (see your Form2-3)
8) Determine whether measures need to be taken for each listed resource to
achieve RTO and place a mark in the column indicated
The resources for which measures may need to be taken may include both
those whose restoration period exceeds your RTO and those that do not. If
essential services such as electricity, water, and phone service take longer
to get back online than your RTO, you may need to reconsider your RTO in
consideration of the wait-time needed for the restoration of those resources.
12
BCP Guidebook 2013
Form 4-2 Resource Damage Estimate Sheet (sample)
Risk Earthquake Assumed recovery period
Measures
needed
Assumed damage ○○○
Day
Day (shown by graph)
Necessary resources Damage 3 days 1 wk 2 wks 1 mo 2 mos 3 mos
Internal Resources
Building ○○○ 7 ds
Equipment /
Machinery
○○○ 30 ds
Inventory ○○○ 3 ds
People ○○○ 3 ds
IT System ○○○ 10 ds
Fund ○○○
Other:
Essential Social
Services
Electricity ○○○ 3 ds
Gas ○○○ 30 ds
Water ○○○ 15 ds
Phone /
Communication
○○○ 10 ds
Trafc / Roads ○○○ 8 ds
Other:
Supplies
Direct supplier ○○○ 30 ds
2nd, 3rd Supplier ○○○ 20 ds
Customer ○○○ 10 ds
other
13
BCP Guidebook 2013
The details regarding measures to be taken will be reviewed in Steps 5 to 7
below.
Examples of such measures are as follows:
1) Protection (Prevention) and Mitigation- see Step 5
- Anti-earthquake reinforcements to buildings
- Installation of equipment restraints
2) Emergency Response (Incident Response)- see Step 6
- Evacuation plan formulation
- Development of safety confirmation procedures
3) Strategies for the Early Resumption of Prioritized Activities- see Step 7
- Alternate site recovery
- IT system back ups
The required measures differ depending on the type of disaster experienced
since damage estimates can vary widely. This Guidebook guides you through a
process in which you select one risk and then proceed to estimate the damage
that would be sustained as a result. For SME owners, it might be difficult at first
to prepare for multiple risks. We suggest starting with your top priority risk first,
and then repeat the process for other risks if your company can afford to do
so.
5. Your Survival Strategies
In this section, you are going to work on the core items of your company’s
BCP. You will plan and implement your company’s Business Continuity (BC)
Strategies to achieve the Recovery Time Objective (RTO) you set in Step 2 (Form
2-3). There are three phases to a BC Strategy, all of which are important and
necessary for achieving your RTOs. You will identify the necessary measures for
your company in consideration of these three phases
(1) Protection and mitigation (Step 5)
This phase involves the protection (prevention) or mitigation of the damage
caused by an incident so that Prioritized Activities can be resumed quickly
in accordance with their RTOs. Protection and mitigation measures primarily
consist of pre-incident measures, but can also include important post-incident
measures intended to contain and minimize damage.
(2) Emergency response (Step 6)
When a disruption affects your company, you have to stabilize the situation
by eliminating danger and protecting your people, assets, and business
operations. This should be done immediately to prevent an emergency
14
BCP Guidebook 2013
situation from becoming an uncontrollable crisis. The first priority of emergency
response is to protect and rescue people. Subsequent priorities are to eliminate
threats and secure safety, protect assets, and prevent further damage and
secondary disasters.
(3) Continuity and recovery strategies (Step 7)
This phase involves planning and implementing strategies for continuing (or
resuming) Prioritized Activities and then restoring normal operations. Continuity
strategies focus on restarting Prioritized Activities immediately using alternative
or temporary measures. Recovery strategies focus on restoring operations to
pre-incident levels.
Protection &
Mitigation
Incident
Response
Continuity/ Recovery
Options
(for an earthquake)
Seismic reinforcement of
structures
Installation of equipment
restraints
Data back-up
Evacuation
Confirmation of employee safety
EOC mobolization
Relocation to alternate site
Recovery at affected site
Workaround options
Outsourcing
return to normal operation
Figure 5-1 Three phases of a Business Continuity Strategy
Step 5 Do Not Forget Pre-Disaster Protection and Mitigation
To successfully resume operations as planned, the damage to the supporting
resources should be contained, to the extent that early repair and restoration
would be possible. If such important resources sustain very severe damaged,
your company may fall into a disaster scenario, and be forced to give up the
recovery effort, or shut down for a long period of time. This would be the end
of the business and therefore, the story! This is why pre-incident strategies of
protection and mitigation are very important.
In Step 4 (Form 4-2) you identified which resources require that measures
be taken to achieve your company’s Recovery Time Objective (RTO). Those
identified resources are vulnerable and might hinder the achievement of your
RTO. In this step, you will select resources that require protection and mitigation
measures and determine the details of those measures in order to avoid a level
of damage that would make it impossible to recover your Prioritized Activities
by the established RTOs.
In Form 5-1, enter (1) resources that require measures be taken, (2) objectives
of those measures, (3) what measures to take, (4) specific plans for taking those
measures, (5) implementation deadlines, and (6) the department in charge of
implementation.
15
BCP Guidebook 2013
Form 5-1 Protection and Mitigation Measures for Key Resources (sample)
Resources Objectives What To Do Your Plan
Implementation Deadlines
Department in
Charge
Immediately Within1 year Mid to Long Term
Personnel Keep personnel safe
Provide instructions
on evacuation safety
Make an evacuation
plan and disseminate it to
employees
Conduct evacuation drills
General affairs
dept.
Buildings
Protect/mitigate
damage to buildings
Check earthquake-
resistance of
buildings
Check earthquake-
resistance of the building
in which the headquarters
is located
General affairs
dept.
Make buildings
earthquake-resistant
Make the headquarters
building earthquake-
resistant
General affairs
dept.
Facilities
Protect/mitigate
damage to facilities
Install restraints to
prevent equipment
from falling over
Fix machine tools to the
factory oor
Manufacturing
dept.
Systems
Protect/mitigate
damage to buildings
Install restraints to
prevent computers
from falling over
Put servers at
headquarters in a server
rack
Information
systems dept.
16
BCP Guidebook 2013
Step 6 Emergency Response to Disaster
In Step 6, you consider immediate necessary responses to take, when the
incidents occurs, to prevent the emergency situation from becoming an
uncontrollable crisis. It is called emergency response or incident response.
The first priority of emergency response is to protect and rescue people.
Stabilization, to remove harm and secure premises, ensure safety and security
of yourself, staff and customers protection of assets, and prevention of further
damage. The potential for secondary disasters should also be considered.
First, you should understand the general picture of emergency response. As
shown in Figure 6-1, there are a series of necessary activities in an emergency
response. These activities have to be carried out, following necessary timelines
and without delay. “(1) Evacuation and rescue” should start immediately by
individual people when an incident occurs. Emergency Operation Center (EOC)
should be called, if necessary, to take coordinated measures under unified
command in your company. The activities of (3) to (8) are performed by the
Emergency Operation Center, if it is set up.
The main necessary activities are (1) Evacuation and rescue, (2) Setting up
Emergency Operation Center, (3) Safety confirmation of employees, (4)
Stabilizing the situation and prevention of secondary damage, (5) Survey
of damage, (6) Assets protection, (7) Safety confirmation of employees’
commuting, and (8) Gathering and sharing information of incident/damage.
These eight activities are described in further detail below.
Safety Confirmation
of employees
Safety Confirmation of
employee’ s commuting
Stabilizing the situation and
prevention of secondary damage
Survey of damage
Assets protection
Gathering and sharing information of incident/ damage
Evacuation
and rescue
Emergency response to disaster
strarting up continuity/ recovery strategy
Emergency Operation Center
Figure 6-1 Emergency response to disaster
17
BCP Guidebook 2013
(1) Evacuation and Rescue
First, your company should have a general evacuation plan, which includes
evacuation procedures, evacuation sites, evacuee guidance procedures,
and names of evacuation activity leaders. You will use Form 6-1 to create
your company’s evacuation plan. You need to make sure all employees
understand the evacuation plan and are able to safely evacuate as planned.
Many companies give all employees a small emergency card containing such
key information as what actions to take, where to evacuate, and emergency
contacts. Employees are asked to carry the card with them at all times so that
they can refer to it whenever necessary. Such an emergency card is highly
recommended.
Form 6-1 Evacuation and Rescue Plan (sample)
Ofce/Factory Head ofce
Evacuation site
(meeting place)
Parking lot in front of the head ofce building
Leader
Person in charge: Manager of the general affairs department
Assistant: Deputy manager of general affairs department
Person in charge of rescue and
medical care
Person in charge: Manager of general affairs department
Assistant: Deputy manager of the general affairs department
Hospital
(name, address, telephone number)
Name: ○○hospital
Address: ○○○
Tel: **-****-****
In case of a natural disaster such as an earthquake or flood, the infrastructure
(such as the traffic network) may be damaged. Your employees may not be
able to get home and may have to stay on the company’s premises or at an
emergency shelter. Your company needs to prepare food, water, and other
supplies (e.g., blankets, radios) for employees, and it is recommended to store
enough necessary supplies (e.g., food and water) to shelter them for 3 days (see
Form 6-5).
(2) Setting up an Emergency Operation Center
When an incident occurs that could affect your business, the company has to
respond immediately to protect its people and operations. It is critical not to
succumb to panic or chaos, but to behave calmly and make the best decisions
possible while taking the necessary measures under the circumstances. In order
for the company to carry out those activities in a unified and coordinated
manner, you should establish an Emergency Operation Center (EOC) that can
serve as a central command center.
The EOC’s framework, members, duties, and procedures must be decided on
in advance and put down on paper. Form 6-2 will assist you in creating an EOC
framework for your company.
18
BCP Guidebook 2013
a) EOC Leader
The leader is in charge of the overall activities of the EOC. The deputies must
also be identified who will take over for the leader when he/she is absent.
The order of succession for the authority and responsibilities of the leader
should also be decided.
b) EOC members and roles
The members of the EOC should be appointed and a list of their names
created and periodically updated. EOC members are required to convene
at the EOC whenever the EOC is mobilized. EOC members must be selected
from among those employees who would be able to convene on short
notice. Form 6-2 lists the four functions shown below. If the size of the
company requires, a team can be formed to carry out each function. You
should decide on your company’s EOC framework and the functions that
best suit your company's needs.
1.Analysis and planning
2.Information gathering
3.Site operations
- Stabilization
- Rescue and medical care
- Confirmation of employee safety
- Sanitation
- Logistics
4.Public relations
This function is for keeping internal and external stakeholders informed about
the status of the company.
c) EOC mobilization criteria
When should an EOC be mobilized? You must decide the thresholds that
must be met for the EOC to be mobilized and its members called to duty.
You can establish these criteria by incident type and magnitude, such as “an
earthquake measuring 6 on the Richter scale” or "a flood warning is issued.”
d) EOC locations
The location where EOC members are to convene must be decided in
advance. You should prepare for a situation in which your first choice
location (e.g., the head office building) is unusable by selecting alternate
EOC locations as well. EOC centers (including alternate sites) should
be prepared for mobilization at any time, and thus equipped with
communication equipment, IT and office equipment, and other supporting
resources.
19
BCP Guidebook 2013
Form 6-2 Emergency Operation Center (sample)
Members
Roles department/ name Tel
Leaders
(including deputies)
CEO/ ○○○○
Director/ ○○○○
Director/ ○○○○
**-****-****
**-****-****
**-****-****
Analysis and planning ○○dept./ ○○○○ **-****-****
Information function ○○dept./ ○○○○ **-****-****
Site operation function
(stabilization, rescue and medical
care, conrmation of employee
safety, sanitation, logistics)
○○dept./○○○○
○○dept./ ○○○○
○○dept./ ○○○○
○○dept./ ○○○○
○○dept./ ○○○○
**-****-****
**-****-****
**-****-****
**-****-****
**-****-****
Public relations ○○dept./ ○○○○ **-****-****
Mobilization
thresholds
- Earthquake measuring 6 on the Richter scale
- Flood warning is issued
Meeting place
(including
alternate
locations)
Order of
priority
Workplace Address Tel
1 Head ofce ○○○○ **-****-****
2 A ofce ○○○○ **-****-****
3 B factory ○○○○ **-****-****
(3) Confirmation of employee safety
You must establish procedures for confirming the safety of your employees in
advance. You will have to make sure that all employees promptly follow the
established procedures in the event of a disaster. Your company should test
its procedures by conducting drills, as these show how well employees follow
the established instructions and how long it takes to complete a confirmation
of the safety of all employees. Your safety confirmation procedures should
include a way for employees to contact the company. Multiple means of
communication should be identified (e.g. phone calls, e-mail, and Internet
bulletin board) so that redundancies are built in. Remember the lesson learned
from the catastrophic Great East Japan Earthquake of March 2011 (M9.0),
after which the mobile phone network was non-operational across a wide area
due to extensive damage and congestion. Since such risks are inherent when
relying on a single mode of communication that utilizes the mobile phone
network, backup methods must be identified.
Form 6-3 is an employee contact list with columns for each employee's
department, name, telephone number, and e-mail address. This form can also
be used as a checklist when confirming employee safety.
Form 6-3 Emergency Contact list (sample)
Department Name
Telephone
number
E-mail address
Safety status
(to be entered in an emergency)
○○dept. ○○○○ **-****-**** ****@***.***.***
○○dept. ○○○○ **-****-**** ****@***.***.***
○○dept. ○○○○ **-****-**** ****@***.***.***
20
BCP Guidebook 2013
(4) Confirmation of safe commuting conditions
When a disaster affects a widespread area across an entire region, the social
infrastructure may be damaged. Your company has to decide whether it is safe
to let employees go home or whether they will need to stay on the premises.
You can do this by monitoring disaster and traffic information.
(5) Stabilization of the situation and prevention of secondary damage
When an incident occurs and creates a dangerous situation, you must work
on stabilizing the situation to ensure employee safety and prevent secondary
damage. This may include efforts to fight fires or prevent the spread of harmful
substances.
(6) Survey of damage
Once the situation has been stabilized and safety has been secured, the
damage to your company should be immediately surveyed. Your company will
have to decide on any necessary repair and recovery plans, and must start on
its recovery process as soon as possible. A sample survey form is shown in Form
6-6.
(7) Asset protection
Based on the damage survey results, you must protect and preserve your
facilities and equipment. For example, you will want to take measures to
prevent the damage from spreading and to secure your assets against theft.
(8) Compilation and sharing of information
When a disaster hits your region, it is critical that you gather the following
information using various media, including television, radio, and the Internet:
-Disaster details
-Damage to the region (including the status of essential services and traffic
conditions)
-Alerts and warnings from central/local government authorities
Your company should maintain communication with stakeholders such as
suppliers, customers, public agencies, and financial institutions by gathering
and sharing relevant disaster information. It is important to give your business
partners status updates and information on your recovery plans so as to
maintain your business relationships while you are engaged in recovery efforts.
Form 6-4 is a sample External Contact List.
21
BCP Guidebook 2013
Form 6-4 External Contact List (sample)
External Partners Name Tel. E-mail address
Status
(complete when an incident occurs)
Materials & Parts
Suppliers
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Logistics Service
Providers
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Equipment
Maintenance Co.
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Customers
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Financial
Institutions
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Public
Agencies, Local
Government
Ofces
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
Essential Service
Providers
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
○○○○ **-****-**** ****@***.***.***
22
BCP Guidebook 2013
Form 6-5 Storage List for Disasters
Categories Items Numbers of items to prepare
Food / Water Drinking water 3 liters/person for 3 days
Emergency food 3 day supply/person
Living supplies
Sanitation supplies (tissues, wet
tissues, toilet paper, etc.)
3 days
Utensils Necessary numbers for people
Portable toilets 3 days
Plastic bags, tape Equal to the number of people
Blankets, sleeping bags Equal to the number of people
Portable gas and stoves 3 days
Pots and kettles 3 each
Pocket warmers 3 day supply/person
Oil heaters, oil Fuel for 3 days
Medical supplies First aid kits Equal to the number of people
Folding stretcher 3
Tools
Tools (crow bar, pliers, hammer,
shovel, cloth tape, stepladder)
3 each
Helmet and gloves Equal to the number of people
Plastic sheets, tarps 3 sheets (10m×10m)
Garbage cans, buckets 3 each
Support for getting people
home
Rainwear Equal to the number of people
Maps Equal to the number of people
Information gathering,
communication
Radios, dry batteries 3 each
Cell phone chargers 3 units per each model
Loudspeakers 3 units
Other Generators, generator fuel 2 units of fuel for 3 days
23
BCP Guidebook 2013
Step 7 BC Strategies to Early Resumption
In Step 7, you develop your company’s Business Continuity Strategies (BC
Strategies) for resumption of Prioritized Activities (PAs) within Recovery Time
Objectives (RTOs). You need to identify and prepare the internal and external
supporting resources that are necessary to resume those activities.
There are key concepts for planning your BC Strategies that you need to
consider to resume Prioritized Activities (PAs). In considering the concepts of BC
Strategies, you are going to make plans for your own BC Strategies to achieve
RTO of PAs.
Strategy 1: Resume PA at the damaged/affected site.
Strategy 2: Resume PA at an alternative site (either in-house or external facility)
Strategy 3: Resume PA by alternative methods (or workaround methods)
Form 6-6 Damage Survey Form
Surveyed location
Employee injuries Injured employees Names:
Damage to buildings
Appearance Large/ Medium/ Small/ None
Inside Large/ Medium/ Small/ None
Safe entry Yes/ No
Damage to assets
Equipment (Damaged equipment / number of items)
Communication equipment (Damaged equipment / number of items)
IT apparatus (Damaged equipment / number of items)
Fixtures and ttings (Damaged items / number of items)
Vehicles (Damaged vehicles / number of items)
Damage to essential
services
Electricity Available/ Not Available
Gas Available/ Not Available
Water Available/ Not Available
Landline phone service Available/ Not Available
Mobile phone service Available/ Not Available
Internet Available/ Not Available
Neighboring situations
Fire Available/ Not Available
Other
Business continuity Disrupted/ Not Disrupted
Visitors (Injured people)
Others
24
BCP Guidebook 2013
Your BC Strategies might be a combination of the above three strategies.
In the very early stage of your recovery planning, you have to decide where
your company will restart critical operations (or PAs). One strategy is to resume
at the damaged or affected site, another is to resume at an alternative site.
Both strategies are necessary. Your company should be prepared for a scenario
when the main facilities, such as, headquarter building or main factory are not
usable. For SMEs that have limited resources, it might be very hard to prepare
an alternate site. SMEs may only have one option to prepare a BC Strategy- to
restore damage and recover at the affected site. You should remember that
your company will be defenseless if your key facility is damaged to the extent
that it becomes unusable. In the mid to long term, you should consider how to
deal with this challenge. This process is not simply a paper exercise. The owner
and/or senior management has to make business decisions as to how and
where to recover prioritized activities from the disruption.
Form 7-1 summarizes the BC Strategies for your company, and should be
completed based on the concepts listed above. Enter your selected BC
Strategy into the appropriate column of the form. Let’s start with BC Strategy to
resume at the damaged/affected site.
Strategy 1: You have to restore the damaged resources. The buildings
and equipment/machinery may be damaged, and assistance by external
construction company and machinery experts may be necessary. Essential
services such as electricity, gas, and water are necessary to resume disrupted
operations. Recovery of such essential services to your company may become
the key to your company resuming operations. Therefore, you should estimate
how soon those public companies are able to resume services. You may need
to review your BC Strategy based on essential service restoration periods. The
next strategy is to resume at an alternative site.
Strategy 2: You need to consider the location of the alternative site, and see
if it is sufficiently distant from the current site and therefore is less likely to have
been impacted/damaged by the same disaster. You should make sure that
the essential services your company needs, are not be affected and will be
available. This strategy requires that all necessary resources, for example,
buildings, equipment, and machinery are available at this site. You also need to
consider how to transfer the workforce, and that supplies of materials and parts
are transported to this site. It will be important that you have built relationships
with your suppliers, as you will need to find other sources of assistance and seek
also corporation from external partners. This strategy is to resume PA by the
alternative method.
Strategy 3: This strategy can be used in strategy 1: damaged site recovery and
strategy 2: alternative site recovery. For example, old reserve equipment is used
to replace the damaged, newer equipment. Manual work by human hand
replaces disrupted IT systems. Your company selects what alternate methods
that fit your company’s operations. You also need to identify what kind of
assistance is necessary from external partners.
25
BCP Guidebook 2013
External business partners can have significant impact on your business
operations and BC Strategies. You cannot control your business partners.
Therefore, what can you do with external partners in your BC Strategies? This
will depend on your business relationship, but here some measures you can
take to help mitigate the risk. First of all, you can check their preparedness
levels in disaster management and BCP. Are they supportive of these matters
or not interested at all? If they are interested, it is recommended to exchange
what you and your partners have been doing in disaster management and
BCP. It would be more desirable that you and your partners have periodical
meetings and plan joint meetings or exercises.
Form 7-1 Continuity Strategy Summary
Continuity Strategy Summary
Priority Strategy Outline
Activities to
Resume
Key
Resources
(bottleneck
resources)
Necessary
External
Partners
Strategy 1: Resume at the damaged/affected site
(ex.)
Restore damaged buildings and
equipment and resume PA
Strategy 2: Resume at an alternate site
(ex.)
Start up an alternate factory/
ofce / shop
(ex)
Activate back-up IT center
Strategy 3: Resume using alternate methods
(ex)
Start up using older methods,
using spare (old) equipment
Strategy: Other
Now that you have decided on your company’s BC Strategy using Form
7-1, you need to identify the resources necessary for executing this strategy.
Complete Form 7-2 to identify the necessary resources for each BC Strategy
listed in Form 7-1. You will prepare Form 7-2 for each BC Strategy. At the top
of Form 7-2, enter the Prioritized Activity and strategy outline you are going to
consider. There are columns of resources categorized into three groups: internal
resources, essential social services, and external partners (same as Form 3-1).
26
BCP Guidebook 2013
Form 7-2 BC Strategy Planning sheet
Prioritized Activity Strategy Outline
Categories Resources
What’s to
be done /
needed
Details of
Measures
To be done by when
Department
in charge
Short
Term
Mid- Long
Term
Internal
Resources
Building
Equipment /
Machinery
Stock
People
IT System
(others )
Essential
Social
Services
Electricity/Gas/
Water
Phone/
Communication
Trafc / Roads
(others )
External
Partners
Suppliers
Customer
(others )
Next, enter the necessary measures in the relevant column for each resource.
In this process, you should check your review results in Form 4-2, the Resource
Damage Estimate Sheet (see column 8 where you identified which resources
are needed for achieving the RTO). For the resources identified, decide
what measures should be taken from the perspective of preventing and/or
minimizing damage and expediting restoration.
The resources that are critical in determining the restoration period required (or
bottleneck resources) should be carefully reviewed. Particular attention should
be paid to finding out how soon those resources that are not under your control
will be become available to you. You may need to flexibly revise your RTO and
BC Strategy based on that review. Enter the deadline for implementing each
measure, indicating whether it must be implemented in the short term (within 1
year) or the mid to long term (2 to 3 years or more). Also enter the departments
in charge of those measures. Once Form 7-2 has been completed with the
designated departments and deadlines, you can use the form for managing
progress on the implementation of measures. As stated above, this process
27
BCP Guidebook 2013
takes more than mere paperwork; it requires management decisions to be
made by the business owner (or top management) in cooperation with their
BCP Team. It is very important that top management exercise its leadership in
implementing BC Strategies.
Your outside business partners have a significant impact on your business
operations and BC Strategies. Since you cannot control your business
partners, what role do they play in your BC Strategies? It depends on your
business relationship you have with them, but you can start by checking into
their preparedness levels by asking about their disaster management and
BCP programs. Are they aware of such matters or uninterested? If they are
interested, both parties would be well served by sharing what they are doing
in terms of their disaster management and BCP activities. Ideally, you and your
partners would hold regular meetings on this topic and plan joint meetings or
exercises.
Step 8 Be Financially Prepared
Can you survive financially
if your operation is disrupted
for one or two months?
The objective of Step 8 is
to recognize the financial
conditions of your company
in case of an emergency,
and to prepare appropriate
measures in advance, to
avoid bankruptcy even if
income is suspended. If your
company’s operation is
suspended, your company
will lose revenue but still be
required to pay ordinary
expenditure such as, payroll
and rent. And if your facilities are damaged, you will need cost recovery of
your damaged facilities. What you need to do in Step 8, is to estimate how
much money will needed if your company sustains damage by a disaster ; and
consider measures that could be taken to fulfill any shortage. Key factors to
consider in your financial analysis include.
- Understand how much revenue will decrease due to business disruption
(Section 1)
- Estimate how much the recovery costs will be to resume your business
operations (Section 2)
- Recognize how much ordinary expenditure will be incurred during disruption
(Section 3)
Revenue
Disaster
Expenditure
Deficit
Resumption
Need to prepare
measure to fulfill
the shortage
Figure 8-1 Deficit Occurs After Disaster
28
BCP Guidebook 2013
- Calculate the level of funds needed to fulfill the shortage. (Section 4)Note: It is
recommended that a company should reserve cash and deposits equivalent
to its one month revenue.
You can assess your financial status by completing Form 8-1.
(1) Check your available funds
You should check the amount of funds that you have on hand in reserves or
that would otherwise be available if needed during a business disruption. First,
fill in the total amount of available funds in Form 8-1. Examples of available
funds include cash, deposits, and short-term securities. Additionally, your
company might be able to get private funding from an owner of the company.
Next you should check your company’s insurance policies. Find out what types
of insurance policies your company has and whether such insurance policies
cover the disaster or accident in question. Also find out how much coverage
you have. You should be aware that in most cases, it takes some time for
insurance payouts to be made due the time required for investigations and
settlement negotiations.
The bottom line of Form 8-1 shows the total amount of available funds (A).
Form 8-1 Available Funds (sample)
Type Amount Other
Cash and Deposits 100,000
Insurance 50,000 Fire / Flood /Earthquake
Available Funds (A) 150,000
(2) Estimate recovery costs
Next you will assess the expenditures your company would incur as the result
of a disaster and during the disruption period. You have already estimated
damages and restoration periods for your important resources (Steps 4, 5, 6,
and 7). Now you have to do some guesswork regarding how much it would
cost to repair and restore the damaged resources that are essential to the
resumption of your Prioritized Activities. Estimate the recovery cost for each
main category of resources, as shown in Form 8-2. Buildings, equipment and
machinery, fixtures and fittings, and inventory are listed as examples. Enter the
expected total recovery cost for each category. The bottom line of Form 8-2
shows the total amount of estimated recovery costs (B).
Form 8-2 Recovery Costs
Recovery Cost Amount Other
Building 10,000
Equipment and machinery 5,000
Fixtures and ttings 5,000
Inventory 5,000
Total Recovery Costs (B) 25,000
29
BCP Guidebook 2013
(3) Summarize ordinary expenditures
There are ordinary expenditures that your company has to pay even during a
disruption. These expenses include fixed costs such as payroll and rents on real
estate and warehouses, as well as variable costs such as debt payments. You
need to know the total monthly amount of your ordinary expenditures during a
disruption period. Use Form 8-3 to enter the expense items and total amounts.
The bottom line shows the total ordinary expenditures (C).
Form 8-3 Ordinary Expenditures
Ordinary Expenditure Amount Other
Payroll
Purchased supplies
Rent
Others
Total Ordinary Expenditures (C)
(4) Assess cash flow status
By completing processes (1), (2) and (3) above, you will have obtained the
total amounts of your available funds (A), recovery costs (B), and ordinary
expenditures (C). Enter those amounts in Form 8-4 and calculate the balance
(=A-B-C). If the balance is negative, your company will have a shortfall in
necessary funds. If it is positive, your company is likely to have sufficient funds
for weathering a disruption.
Form 8-4 Financial Status Sheet
Available Funds (A)
Recovery Costs (B)
Ordinary Expenditures (C)
Balance (=A-B-C)
(5) Financial measures
If the balance shown in Form 8-4 is negative (indicating a fund shortage), your
company needs to take financial measures to make up for that shortfall. You
may need to increase available funds by taking out a loan from your bank or
by cutting down on redundant costs to decrease expenditures. In many cases,
the national and local governments provide low interest disaster loans for SMEs
that have been affected financially by a disaster. It is therefore important to
research what kinds of financial support programs might be available to your
company.
30
BCP Guidebook 2013
Form 8-5 Financial Measures (sample)
Financial Measures Amount Detail
(example) Borrow from bank 100,000
Check the amount every
December
(example) Disaster loan 150,000 Apply when hit by a typhoon
Step 9 Exercise Makes Your Plan Functional
In Steps 5, 6, and 7, your company has made various plans of BC Strategies.
Below are questions related to some of those plans. How confident can you
answer "Yes" to the following questions?
- Can all employees (and customers) evacuate promptly and safely, following
your evacuation plan?
- Can all employees call your emergency phone number to report safety
confirmation?
- Can EOC members gather properly and immediately at the meeting place
and undertake their designated role?
Planning and executing plans are different tasks. Your company’s Business
Continuity Plans should effectively work in the case of an emergency as
planned. The purpose of exercise is to ensure that your company’s plans
work effectively and achieve its objectives. Exercise is intended to not only
test its performance, but also to empower employees and provide them with
education and training to enhance their knowledge and expertise.
Some examples of the main exercises are listed below.
- Evacuation Drill: test and practice safe and prompt evacuation to the
designated location.
- Safety Confirmation Exercise: test and practice employees’ emergency calls
and safety confirmation.
- Launching EOC Exercise: test and practice starting up EOC launch and
conducting designated roles by EOC members.
- Backup Data Recovery Exercise: test and practice recovery by backing up
data.
- Re-starting Operation Exercise: test and practice resuming operations after
disruption.
- Launching Alternative Site Exercise: test and practice starting up operations
at an alternate site.
31
BCP Guidebook 2013
There are many types of exercises that can be conducted. It is recommended
that you conduct any exercises that your company thinks necessary and
feasible. You can increase the level of complexity of your exercises and adopt
different types of exercises to improve your company’s business continuity
capabilities.
Use Form 9-1 to create an exercise plan for your company. The post-exercise
review is important for identifying any deficiencies or problems, so that your
company can make any necessary improvements.
Form 9-1 Exercise Plan
Type of Exercise Aim Target Group Date of Exercise Post Review
6. PDCA: Continuous Improvement
Business Continuity Plan refers to your company-wide efforts to develop your
capabilities for resuming critical operations (Prioritized Activities) after a
disruption caused by a disaster. It is not easy to establish such capabilities in
a short period of time, but it is essential to continuously improve and enhance
them over time. We strongly recommend that you utilize the PDCA Cycle (Plan,
Do, Check, Act) for your company’s continuous BCP improvement.
Step 10 Ongoing Review and Improvement
You have already gone through the first
two phases (Plan and Do) of four phases.
In Step 10, you finish the remaining
Check (monitor and review) and Act
(maintain and improve) phases.
(1)Review and Check Your BCP
To make your company’s BCP most
effective, you should monitor and review
your company’s BCP activities. Your
entire BCP activities – before, during and
after an incident - should be reviewed.
Use Form 10-1 to assist in this process,
proceeding through each of the 10 steps
outlined in this Guidebook.
Business Continuity
Planning System
PDCA cycle
Act
Maintain and
improve
Plan
Establish
Check
Monitor and
review
Do
Implement
and operate
BCM
Business Continuity
Management
32
BCP Guidebook 2013
You should ask the following questions for the review of each step.
- Are BC activities (which have been decided and planned) effectively done?
- Are there any tasks and problems for improvement?
- Are there any changes to internal and external circumstances which are
needed to be considered?
- Are there any areas or items which were not included in your BCP, but should
be included?
Form 10-1: BCP Review Form
Step Items to Review and Check
Related
Forms
Currently
Effective
Changes
in Business
Environment
Issues to
Review
1
BCP Framework
Purpose, scope, BCP leaders
and team members
1-1,
1-2,
1-3
Y/ N
2
Prioritized activities, recovery
time objectives
3
Supporting resources
Bottleneck resources
4
Surrounding risks Expected
damages
5
Protection and mitigation
measures
6
Emergency response, EOC,
safety conrmation, risk
communication
7
Continuity and recovery
measures
8 Exercises, training
9
Cash ow for emergencies
Financial measures
10
Monitor, review, and
improvement
33
BCP Guidebook 2013
This review and check process should be conducted periodically, at least
once per year. If there is any business environmental change in your company,
such as, change of partner companies (suppliers or vendors), core business
operations (products or services), IT system or M&A, location changes etc.,
you should pay attention to possible effects of these changes. These factors
may have not been considered or may have been omitted in your reviews,
and therefore, you may need to reconsider and make the necessary changes
to your BCP activities. It is important to periodically review and not miss the
opportunity to update your BCP. These internal reviews are usually done by BCP
teams, lead departments and internal audit departments.
(2) Management Review
In addition to the above Review and Check processes, senior management
have to proactively initiate a review of the company’s BCP at least annually,
and ensure that your company’s BCP has been managed effectively and
the PDCA cycle is working. Form 10-2 is for management review. It should be
understood that management review works as strong drive to cycle PDCA
cycle.
Form 10-2 Management Review Sheet
Check & Review Items Person in Charge Due Date Top Management
34
BCP Guidebook 2013
Appendix
1. Blank Forms
Form 1 BCP Framework
Form 2-1 Impact Level Comparison Chart
Form 2-2 Maximum Tolerable Period of Disruption
Form 2-3 Prioritized Activities and RTOs
Form 3-1 Necessary Resources for Prioritized Activities
Form 4-1 Risk Impact and Likelihood Comparison Chart
Form 4-2 Resource Damage Estimate Sheet
Form 5-1 Protection and Mitigation Measures for Key Resources
Form 6-1 Evacuation and Rescue Plan
Form 6-2 Emergency Operation Center
Form 6-3 Emergency Contact List
Form 6-4 External Contact List
Form 6-5 Storage List for Disasters
Form 6-6 Damage Survey Form
Form 7-1 Continuity Strategy Summary
Form 7-2 BC Strategy Planning Sheet
Form 8-1 Available Funds
Form 8-2 Recovery Costs
Form 8-3 Ordinary Expenditures
Form 8-4 Financial Status Sheet
Form 8-5 Financial Measures
Form 9-1 Exercise Plan
Form 10-1 BCP Review Form
Form 10-2 Management Review Sheet
2. BCP Checklist
35
BCP Guidebook 2013
1.Blank Forms
Form 1
BCP Framework
BCP Purpose
Protect People
Protect Business
Activities
Recover with Local Community
BCP Leader and Team
BCP Leader
BCP Team Members
BCP Scope
Departments to introduce BCP
36
BCP Guidebook 2013
Form 2-1
Impact Level Comparison Chart
Department Handling Each
Product/ Service
Impact Levels
External Impact Internal Impact
L : M : S L : M : S
L : M : S L : M : S
L : M : S L : M : S
L : M : S L : M : S
L : M : S L : M : S
L : M : S L : M : S
L : M : S L : M : S
L : M : S L : M : S
37
BCP Guidebook 2013
Form 2-2
Maximum Tolerable Period of Disruption
Form 2-3
Prioritized Activities and RTOs
Departments Handling
Each Product/Service
Time When Impact Becomes Unacceptable
MTPD
Recovery Time
Objective (RTO)
Product / Service A ~ 3 ds ~1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
Product / Service B ~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
Product / Service C ~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
~ 3 ds ~ 1 wk ~ 2 wks ~ 1 mo ~ 2 mos.
Prioritized Activity(ies)
Recovery Time
Objective(s)(RTO)
38
BCP Guidebook 2013
Form 3-1
Necessary Resources for Prioritized Activities
Type of Resources Contents
Internal
Resources
Building
Equipment / Machinery
Inventory
People
IT System
Fund
Other:
Essential
Social
Services
Electricity
Gas
Water
Phone / Communication
Trafc / Roads
Other:
Supplies
Direct supplier
2nd, 3rd Supplier
Customer
Other:
39
BCP Guidebook 2013
Form 4-1
Risk Impact and Likelihood Comparison Chart
Risk Impact Likelihood Priority
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
HMLHML
40
BCP Guidebook 2013
Form 4-2
Resource Damage Estimate Sheet
Risk Assumed recovery period
Need
measures
Assumed damage
Day
Day (shown by graph)
Necessary resources Damage 3ds 1wk 2wks 1mo 2mos 3mos
Internal
Resources
Building
Equipment /
Machinery
Inventory
People
IT System
Fund
Other:
Essential Social
Services
Electricity
Gas
Water
Phone /
Communication
Trafc / Roads
Other:
Supply
Direct supplier
2nd, 3rd Supplier
Customer
Other:
41
BCP Guidebook 2013
Resources Objectives What To Do Your Plan
Implementation Deadlines
Department in
Charge
Immediately Within 1 year
Mid to Long
Term
Form 5-1
Protection and Mitigation Measures for Key Resources
42
BCP Guidebook 2013
Form 6-1
Evacuation and Rescue Plan
Ofce/Factory
Evacuation Site
(meeting place)
Leader Person in charge;
Assistant;
Person in charge of
rescue and medical
care
Person in charge;
Assistant;
Hospital (name, address, telephone number)
43
BCP Guidebook 2013
Form 6-2
Emergency Operation Center
Members
Roles Department/ name Tel
Leaders
(including deputies)
Analysis and planning
Information function
Site operation function
(stabilization, rescue and medical
care, conrmation of employee
safety, sanitation, logistics)
Public relations
Mobilization
thresholds
Meeting place
(including
alternate
locations)
Order of priority Workplace Address Tel
1
2
3
44
BCP Guidebook 2013
Form 6-3
Emergency Contact List
Department Name Tel E-mail address
Safety status to
be entered in an
emergency
45
BCP Guidebook 2013
Form 6-4
External Contact List
External Partners Name Tel. E-mail address
Status
(complete when
an incident
occurs)
46
BCP Guidebook 2013
Form 6-5
Storage List for Disasters
Categories Items Numbers of items to prepare
Food / Water
Drinking water 3 liters/person for 3 days
Emergency food 3 day supply/person
Living supplies
Sanitation supplies (tissues, wet tissues,
toilet paper, etc.)
3 days
Utensils Necessary numbers for people
Portable toilets 3 days
Plastic bags, tape Equal to the number of people
Blankets, sleeping bags Equal to the number of people
Portable gas and stoves 3 days
Pots and kettles 3 each
Pocket warmers 3 day supply/person
Oil heaters, oil Fuel for 3 days
Medical supplies
First aid kits Equal to the number of people
Folding stretcher 3
Tools
Tools (crow bar, pliers, hammer, shovel,
cloth tape, stepladder)
3 each
Helmet and gloves Equal to the number of people
Plastic sheets, tarps 3 sheets (10m×10m)
Garbage cans, buckets 3 each
Support for getting
people home
Rainwear Equal to the number of people
Maps Equal to the number of people
Information gathering,
communication
Radios, dry batteries 3 each
Cell phone chargers 3 units per each model
Loudspeakers 3 units
Other Generators, generator fuel 2 units of fuel for 3 days
47
BCP Guidebook 2013
Form 6-6
Damage survey form
Surveyed location
Employee injuries Injured employees Names:
Damage to buildings
Appearance Large / Medium / Small / None
Inside Large / Medium / Small / None
Safe entry Yes / No
Damage to assets
Equipment (Damaged equipment / number of items)
Communication
equipment
(Damaged equipment / number of items)
IT apparatus (Damaged equipment / number of items)
Fixtures and ttings (Damaged items / number of items)
Vehicles (Damaged vehicles / number of items)
Damage to essential
services
Electricity Available/ Not Available
Gas Available/ Not Available
Water Available/ Not Available
Landline phone service Available/ Not Available
Mobile phone service Available/ Not Available
Internet Available/ Not Available
Neighboring situations
Fire Available/ Not Available
Other
Business continuity Disrupted/ Not Disrupted
Visitors (Injured people)
Others
48
BCP Guidebook 2013
Form 7-1
Continuity Strategy Summary
Priority Strategy Outline Activities to Resume
Key Resources
(bottleneck
resources)
Necessary External
Partners
Strategy 1: Resume at the damaged/affected site
Strategy 2: Resume at an alternate site
Strategy 3: Resume using alternate methods
Strategy: Other
49
BCP Guidebook 2013
Form 7-2
BC Strategy Planning Sheet
Prioritized Activity Strategy Outline
Categories Resources
What’s to
be done /
needed
Details of
Measures
To be done by when
Department
in charge
Short term
Mid- Long
Term
Internal
Resources
Building
Equipment /
Machinery
Stock
People
IT System
Other:
Essential
Social
Services
Electricity/Gas/
Water
Phone/
Communication
Trafc / Roads
Other:
External
Partners
Suppliers
Customer
Other:
50
BCP Guidebook 2013
Form 8-1
Available Funds
Type Amount Other
Available Funds ( A )
Form 8-2
Recovery Costs
Recovery Cost Amount Other
Total Recovery Costs( B )
51
BCP Guidebook 2013
Ordinary Expenditure Amount Other
Total Ordinary Expenditures (C)
Available Funds (A)
Recovery Costs (B)
Ordinary Expenditures (C)
Balance ( =A-B-C )
Form 8-3
Ordinary Expenditures
Form 8-4
Financial Status Sheet
52
BCP Guidebook 2013
Form 8-5
Financial Measures
Financial Measures Amount Detail
53
BCP Guidebook 2013
Form 9-1
Exercise Plan
Type of Exercise Aim Target Group Date of Exercise Post Review
54
BCP Guidebook 2013
Form 10-1
BCP Review Form
Step
Items to Review and
Check
Related
Forms
Currently
Effective
Changes in Business
Environment
Issues to
Review
1
BCP Framework
Purpose, scope,
BCP leaders and
team members
1-1 Y/ N
2
Prioritized activities,
recovery time
objectives
2-1
2-2
2-3
Y/ N
Y/ N
Y/ N
3
Supporting
resources
Bottleneck
resources
3-1 Y/ N
4
Surrounding risks
Expected damages
4-1
4-2
Y/ N
Y/ N
5
Protection and
mitigation measures
5-1 Y/ N
6
Emergency
response,
EOC, safety
conrmation, risk
communication
6-1
6-2
6-3
6-4
Y/ N
Y/ N
Y/ N
Y/ N
7
Continuity and
recovery measures
7-1
7-2
Y/ N
Y/ N
8 Exercises, training
8-1
8-2
8-3
8-4
8-5
Y/ N
Y/ N
Y/ N
Y/ N
Y/ N
9
Cash ow for
emergencies
Financial measures
9-1 Y/ N
10
Monitor, review,
and improvement
10-1
10-2
Y/ N
Y/ N
55
BCP Guidebook 2013
Form 10-2
Management Review Sheet
Check & Review Items Persons in Charge Due Date Top Management
56
BCP Guidebook 2013
No. Question Steps
Answer
No
Yes-
Partially
Yes
Done
1
Has a BCP Manager been appointed and has a budget for
BCP activities been allocated
?
1
0 2 4
2
Are the BCP purpose, scope and leader well-known
throughout your company
?
1
0 2 4
3
Does upper management take a visible leadership role
in BCP activities and show its commitment to BCP to
employees
?
1
0 2 4
4
Does your company understand what the impacts would
be if the company's operations were to be disrupted for
one week
?
One month
?
2
0 2 4
5
Does your company understand how soon it would have
to resume operations after a disruption to avoid severe
impacts that would threaten the company's survival
?
2 0 2 4
6
Has your company identied which businesses should
be given top priority for the recovery and resumption of
operations
?
2
0 2 4
7
Has your company identied important internal resources
or outside essential services that might create a bottleneck
for business resumption efforts
?
3
0 2 4
8
Has your company already identied necessary materials
or parts which are supplied by a single supplier
?
3
0 2 4
9
Has your company researched the disaster history or
risk information (such as hazard maps) that have been
published by your local government or other organization
?
4
0 2 4
10
Is your company able to withstand the type of natural
disaster (with extensive impacts) that has a higher
probability of occurring than other disasters
?
4
0 2 4
11
Has your company identied which necessary resources
might sustain severe damage as a result of the natural
disaster identied above (question 10), thus becoming an
obstacle for early business resumption
?
4
0 2 4
12
Has your company planned and implemented pre-disaster
protection (prevention) and mitigation measures to protect
the safety and welfare of your employees from expected
disasters
?
5
0 2 4
13
Has your company planned and implemented pre-disaster
protection (prevention) and mitigation measures to protect
your company's assets from disasters (earthquake, oods,
typhoons) and accidents
?
5
0 2 4
14
Has your company prepared an emergency contact list of
employees
?
6
0 2 4
2.BCP Checklist
57
BCP Guidebook 2013
15
Has your company decided on the framework for an
Emergency Operation Center, such as where to gather,
what members are to be called, and the criteria for
mobilization
?
6 0 2 4
16
Has your company made a contact list of customers,
business partners, and authorities
?
6
0 2 4
17
Does your company periodically backup its data
?
7
0 2 4
18
Does your company have an alternate site in place in case
its headquarters or main business location is shut down
?
7
0 2 4
19
Does your company have alternative or temporary
measures in place to replace main equipment (or other
resources) in case primary equipment becomes unusable
?
7
0 2 4
20
Does your company know the disaster management and
business continuity status of suppliers that supply its essential
materials and parts
?
7
0 2 4
21
Do you know how much funding you would be short of if
your company's operations were to be totally disrupted for
one month
?
8
0 2 4
22
Have you checked what kinds of disaster support programs
are available through your local government or other
public organizations
?
8
0 2 4
23
Have you set aside a cash reserve equal to one month of
revenue for disasters
?
8
0 2 4
24
Does your company conduct periodic evacuation drills
?
9
0 2 4
25
Does your company conduct exercises to test that data
can be safely recovered from backup systems
?
9 0 2 4
26
Does your company conduct exercises to practice
mobilizing the Emergency Operation Center
?
9
0 2 4
27
Does your company periodically review its disaster
management and business continuity plans and implement
improvement measures if necessary
?
10
0 2 4
28
Does upper management proactively engage in the
periodic review of BCP activities
?
10
0 2 4
Total Score
58
BCP Guidebook 2013
Your BCP Status Level
Your Tota
Score
Your company is defenseless against disasters and accidents. If a disaster
strikes, your company is very likely to sustain severe damage which may cause
long-term disruption. Your company needs to know the risks that threaten it
and to start considering what can be done to minimize the potential damage
that might be caused by such risks.
0 - 36
Your company is aware of the risks to which it is exposed and has taken some
necessary preparatory measures. However, the expected results of those
measures may be limited. Your company is still exposed to severe damage
because of the weakness of your BCP activities. Be sure to prioritize BCP
activities to make your BCP more effective.
37 -74
Your company has almost established BCP and has implemented measures
that would probably be effective if the risks are within your estimates.
Continue following the PDCA cycle in your BCP activities to enhance your
business continuity preparedness and ensure that you will be able to respond
effectively to an unexpected incident or disaster.
75 - 112
59
BCP Guidebook 2013
Guidebook on SME
Business Continuity Planning
APEC Small and Medium Enterprise Working Group (SMEWG)
August 2013
Asia-Pacific
Economic Cooperation
APEC Project: M SCE 02 11A
Produced by
APEC SME Crisis Management Center
3F, No. 16-8, Dehuei St., Jhongshan District, Taipei 10461, Taiwan
Tel: (886)-2-2586-5000 # 364 Fax: (886)-2-2598-1122
Email: [email protected] Website: www.apecscmc.org
Small and Medium Enterprise Administration, Ministry of Economic Affairs, Chinese Taipei
3F, No. 95, Sec 2, Roosevelt Rd., Taipei 100, Taiwan
Tel: (886)-2-2368-6858 Fax: (886)-2-2367-3914
In Collaboration with
Asian Disaster Reduction Center
Shin-Yurakucho Bldg, 12-1 Yurakucho 1-Chome, Chiyoda-Ku, Tokyo 100-0006 Japan
Tel: (81)-3-6269-3792 Fax: (81)-3-6269-3799
Email: [email protected] / [email protected]
For
Asia Pacific Economic Cooperation Secretariat
35 Heng Mui Keng Terrance Singapore, 119616
Tel: (65) 68919 600 Fax: (65) 68919 690
Email: [email protected] Website: www.apec.org
©2013 APEC Sec
retariat APEC#213-SM-03.1